minio cannot handle special characters in LDAP distinguished names #18853
Comments
@mcpride can you provide the LDAP search output?
I had to fake and shorten (three dots) it a bit so as not to publish our company data ("Max Mustermann" is the German equivalent of "John Doe"), but here is the result of a typical ldapsearch command like
The error can be traced back relatively clearly to the different handling of file and directory names under Unix/Linux and Windows. Under Windows, the following characters are not allowed and lead to errors:

This is also the reason why the AssumeRoleWithCertificate feature does not work under Windows, as a colon is used in the directory name for differentiation (see #18865). MinIO needs file system handling that differs by platform (see also the following suggestion: https://stackoverflow.com/questions/1976007/what-characters-are-forbidden-in-windows-and-linux-directory-names/61448658#61448658). At least the use of
@harshavardhana @donatello @klauspost We will save that JSON, but the path has "\," (see lines 200 to 209 in 1d3bd02).
If we open that, the path will lose the first part: on Windows it will be saved as Max,OU=Desktop Users,OU=Users,OU=BER,OU=EMEA,DC=ENTERPRISE,DC=corp.json, not CN=Mustermann\, Max,OU=Desktop Users,OU=Users,OU=BER,OU=EMEA,DC=ENTERPRISE,DC=corp.json. Maybe base64 could be OK, but that's not good for old data.
Could a replacement with special Unicode characters, as used here: https://github.com/DDR0/fuseblk-filename-fixer, be a solution?
The new release normalizes the LDAP DNs; can you try our latest release? @mcpride
Same problem with characters like

    <?xml version="1.0" encoding="UTF-8"?>
    <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
    <Error>
    <Type></Type>
    <Code>InvalidParameterValue</Code>
    <Message>LDAP server error: LDAP auth failed for DN cn=Leandro,ou=Seguran\c3\a7a,dc=com,dc=br: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839</Message>
    </Error>
    <RequestId>17C7255A2A1EB657</RequestId>
    </ErrorResponse>

if renamed the
Wait, are you saying that AD is returning this error? @ordnaelmedeiros So a normalized entity is failing the auth. What we need to do is only save the normalized user but never perform an LDAP query from it?
weird behavior :)
So it is an error in authenticating the user.
This should be already handled in the latest master, and also with the new release scheduled for today. |
Expected Behavior
A policy can be assigned to a user with a matching DN using the mc idp ldap policy attach command.
Current Behavior
At least in MinIO for Windows with filesystem storage, attaching a policy to a DN that includes certain special characters fails with the mc idp ldap policy attach command.
Example:
Error in cmd:
Error in wsl2 bash:
Possible Solution
MinIO needs to respect escaped characters in DNs (see also: https://www.rlmueller.net/CharactersEscaped.htm). At least for file-system-based storage, the raw DN needs to be sanitized or hashed before use.
Steps to Reproduce (for bugs)
1. Assign the consoleAdmin policy to a user with a comma in its CN
Context
A typical ActiveDirectory related configuration of the STS LDAP endpoint may not work correctly.
Regression
Your Environment
Version used (minio --version): minio.exe version RELEASE.2024-01-18T22-51-28Z (commit-id=19387cafab76133c2e7642de4aac8c81b9f4f8c7) Runtime: go1.21.6 windows/amd64
Operating system and version (uname -a): Linux ****** 5.15.133.1-microsoft-standard-WSL2 1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
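To make the two points raised in this thread concrete (the comment about Windows-forbidden characters and the Possible Solution above), here is an added Go example that is not MinIO's own code: it parses an RFC 4514 DN while honouring backslash escapes (both the "\," and the "\c3\a7" forms quoted above), produces a normalized string meant only for comparison and policy matching, and derives a reversible, Windows-safe file name by percent-encoding the DN instead of using it raw. The function names, the reliance on url.PathEscape plus a fix-up for ":", and the reuse of the two (already anonymised) DNs from the thread as sample input are the example's own assumptions; multi-valued RDNs are not handled.

```go
package main

import (
	"encoding/hex"
	"errors"
	"net/url"
	"strings"
)

// Characters Windows rejects in a file name ("/" breaks Linux too). Backslash is
// the Windows path separator AND the LDAP escape character, which is why a raw
// "CN=Mustermann\, Max" loses its head when used as a path.
const windowsForbidden = "<>:\"/\\|?*"

const hexDigits = "0123456789abcdefABCDEF"

// RDN is one relative distinguished name: Type lower-cased for comparison, Value
// holding the decoded bytes. Multi-valued RDNs ("a=b+c=d") are out of scope.
type RDN struct{ Type, Value string }

// ParseDN splits on unescaped commas only, so "\," stays inside its RDN, and
// decodes RFC 4514 escapes as it goes: "\XX" is one raw byte (the thread's
// "Seguran\c3\a7a" is UTF-8 for "Segurança"), any other "\c" is a literal c.
// Value case is kept because matching rules are per attribute.
func ParseDN(dn string) ([]RDN, error) {
	var rdns []RDN
	var typ, val []byte
	inValue := false
	for i := 0; i <= len(dn); i++ {
		switch {
		case i == len(dn) || dn[i] == ',':
			if !inValue {
				return nil, errors.New("RDN without '=' in " + dn)
			}
			rdns = append(rdns, RDN{strings.ToLower(strings.TrimSpace(string(typ))), string(val)})
			typ, val, inValue = nil, nil, false
		case dn[i] == '=' && !inValue:
			inValue = true
		case dn[i] == '\\' && i+1 < len(dn):
			if i+2 < len(dn) && strings.IndexByte(hexDigits, dn[i+1]) >= 0 && strings.IndexByte(hexDigits, dn[i+2]) >= 0 {
				b, _ := hex.DecodeString(dn[i+1 : i+3])
				val = append(val, b[0])
				i += 2
			} else {
				val = append(val, dn[i+1])
				i++
			}
		case dn[i] == '\\':
			return nil, errors.New("dangling backslash in DN")
		case inValue:
			val = append(val, dn[i])
		default:
			typ = append(typ, dn[i])
		}
	}
	return rdns, nil
}

// escape is the inverse for re-serialising; non-ASCII bytes stay raw UTF-8.
func escape(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if strings.IndexByte(`"+,;<>\`, c) >= 0 || (c == ' ' && (i == 0 || i == len(v)-1)) || (c == '#' && i == 0) {
			b.WriteByte('\\')
		}
		b.WriteByte(c)
	}
	return b.String()
}

// NormalizeDN is a canonical form for comparing and policy-matching DNs. It is
// NOT the string to bind with: keep the DN the server returned for that.
func NormalizeDN(dn string) (string, error) {
	rdns, err := ParseDN(dn)
	if err != nil {
		return "", err
	}
	parts := make([]string, len(rdns))
	for i, r := range rdns {
		parts[i] = r.Type + "=" + escape(r.Value)
	}
	return strings.Join(parts, ","), nil
}

// FileKey makes a DN usable as a file name on Windows and Linux; url.PathUnescape
// reverses it. PathEscape already encodes every windowsForbidden byte except ':'.
func FileKey(dn string) string {
	return strings.ReplaceAll(url.PathEscape(dn), ":", "%3A")
}

// UnsafeOnWindows reports whether a name contains a character Windows rejects.
func UnsafeOnWindows(name string) bool {
	return strings.ContainsAny(name, windowsForbidden) ||
		strings.IndexFunc(name, func(r rune) bool { return r < 0x20 }) >= 0
}
```

Keeping the server-returned DN recoverable from the file name (url.PathUnescape(FileKey(dn)) == dn) is what lets the stored record be used for a later bind, while the normalized string serves only for matching, which is the split proposed in the comments above. A hash would also give a safe file name but is one-way, and like the base64 idea both approaches need a migration for existing records; very long DNs can still hit the Windows MAX_PATH limit of 260 characters.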